Bug / gap
src/entrabot/sandbox/binary.py ships placeholder SHA256 pins for the Windows binaries:
PINNED_HASHES = {
"darwin-arm64": "700e9e71...bbccff36", # real, verified
"win32-x86_64": "0000...0000", # placeholder
"win32-amd64": "0000...0000", # placeholder
...
}
resolve_and_verify() fails closed against these zeros (correct — an unverified binary must not run), but it means run_code cannot execute on Windows until a real hash is pinned.
Fix
- Obtain
wxc-exec.exe from the Windows MXC preview (pin the exact MXC version + commit, as done for darwin-arm64: v0.6.1, commit 161598f).
- Compute its SHA256 and replace the
win32-x86_64 / win32-amd64 placeholders.
- Record provenance in the comment above
PINNED_HASHES (version, commit, any local patch — macOS needed scripts/mxc-mac-stdin-compat.patch; confirm whether Windows needs none).
- Confirm
get_binary_name() returns wxc-exec.exe for win32 (it does today) and that resolve_and_verify() passes end-to-end.
Severity
Blocks the Windows port (#92) — fail-closed verification rejects the placeholder binary, so nothing runs.
Parent: #92 · macOS Phase 1: #86
Bug / gap
src/entrabot/sandbox/binary.pyships placeholder SHA256 pins for the Windows binaries:resolve_and_verify()fails closed against these zeros (correct — an unverified binary must not run), but it meansrun_codecannot execute on Windows until a real hash is pinned.Fix
wxc-exec.exefrom the Windows MXC preview (pin the exact MXC version + commit, as done for darwin-arm64: v0.6.1, commit161598f).win32-x86_64/win32-amd64placeholders.PINNED_HASHES(version, commit, any local patch — macOS neededscripts/mxc-mac-stdin-compat.patch; confirm whether Windows needs none).get_binary_name()returnswxc-exec.exeforwin32(it does today) and thatresolve_and_verify()passes end-to-end.Severity
Blocks the Windows port (#92) — fail-closed verification rejects the placeholder binary, so nothing runs.
Parent: #92 · macOS Phase 1: #86